Using Python scripts in dirtyJOE

Python scripting in dirtyJOE can be used to modify CONSTANT_Utf8 objects in the Constant Pool. One of the main uses is decryption of CONSTANT_Utf8 objects in obfuscated .class files. The decrypted objects are useful in forensic analysis; they can also be used to translate an obfuscated Java application back into readable form.

Example

I’ll show how to use Python scripting on a sample of obfuscated Java malware called Boonana. This malware appeared in October 2010 and was obfuscated with Zelix KlassMaster 5.3.3E (according to the “ZKM5.3.3E” entry in its constant pool).

The script needs to contain only one simple function, which dirtyJOE calls once for each encrypted Utf8 object:

def dj_decryptUTF8(inBuf):
    # inBuf: tuple of ints (one per byte); return a list of ints with the decrypted bytes
    return []

inBuf – input buffer: a tuple in which each byte of the Utf8 string is represented as an integer value

return value – output buffer: a list in which each byte of the Utf8 string is represented as an integer value

A universal script for decrypting Utf8 objects encrypted by the Zelix KlassMaster obfuscator can be found in the \scripts\ directory. It is very simple; all that is needed is to find the proper ‘key’ value:

As can be seen, the highlighted (green) part of this subroutine contains the key for the decryption routine: 48, 16, 127, 16, 97. At this point the script can be tested in dirtyJOE by selecting the ‘Run Python Script‘ option from the Constant Pool context menu:
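The following is an added example of a complete dj_decryptUTF8, not the script bundled in dirtyJOE’s \scripts\ directory. It assumes the Zelix KlassMaster scheme in which each character is XORed with a key byte chosen by its position (index modulo 5), uses the key 48, 16, 127, 16, 97 read from the sample above, and assumes the obfuscated strings are ASCII so that a byte-wise XOR on dirtyJOE’s input tuple matches the char-wise XOR in the generated Java code.

```python
# Added example (not dirtyJOE's bundled script): dj_decryptUTF8 for the
# assumed ZKM scheme: out[i] = in[i] XOR KEY[i % 5].

KEY = (48, 16, 127, 16, 97)  # key bytes read from the decryption subroutine


def zkm_xor(buf, key=KEY):
    """XOR each byte of buf with key[i % len(key)].

    XOR is symmetric, so the same function encrypts and decrypts.
    """
    return [b ^ key[i % len(key)] for i, b in enumerate(buf)]


def dj_decryptUTF8(inBuf):
    """Entry point dirtyJOE calls for each encrypted CONSTANT_Utf8 object.

    inBuf is a tuple of ints (one per byte of the modified-UTF-8 string);
    the return value must be a list of ints holding the decrypted bytes.
    Assumption: strings are ASCII, so byte-wise XOR equals the char-wise
    XOR done by the Java code. XOR of two values below 0x80 stays below
    0x80, so any result byte above 0x7F means the key or scheme is wrong;
    in that case the input is returned unchanged instead of writing garbage
    into the constant pool.
    """
    out = zkm_xor(tuple(inBuf))
    if any(b > 0x7F for b in out):
        return list(inBuf)
    return out


def as_text(buf):
    """Preview helper for checking a decrypted buffer outside dirtyJOE."""
    return bytes(buf).decode("utf-8", errors="replace")


# Constructed test vector: encrypt a known string with the same key, then
# hand the result to dj_decryptUTF8 the way dirtyJOE would.
SAMPLE_PLAIN = b"java/net/Socket"
SAMPLE_ENCRYPTED = tuple(zkm_xor(SAMPLE_PLAIN))

if __name__ == "__main__":
    print(as_text(dj_decryptUTF8(SAMPLE_ENCRYPTED)))  # java/net/Socket
```

If the ‘Preview‘ field shows unreadable output for every object, the key (or the XOR-by-position assumption) does not match this sample and needs to be re-read from the decryption subroutine.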

The ‘Decrypt‘ button is used strictly for script testing; it shows the string after decryption in the ‘Preview‘ field. After clicking the ‘Save‘ button the object is decrypted again, and the user is prompted with the message box below:

When the script is finished, it can be run on all encrypted Utf8 objects by choosing the ‘Run Python Script on All Utf8 Objects‘ option from the Constant Pool context menu:

The ‘Decrypt‘ button works as in the previous window. After clicking the ‘Save‘ button the user is prompted to accept all changes:

4 Comments

On the .class I am reading, reference is “Method: , attribute: Code, bytecode@000000B0”.

After that, I go to the Dirty-Joe “Methods” tab, I select “” (I presume it’s not clinit..), the attribute is “code” by default. I double click on the attribute, but there is no “B0” declaration. It’s the same thing if I click on the “init” method. Am I doing it in the right way?